
List:       focus-linux
Subject:    Re: Linux firewall/IDS/NAT suggestions
From:       terry white <twhite () aniota ! com>
Date:       2003-05-31 23:50:24

on "5-30-2003" "Petty, Robert" writ:

... ciao:

: has a glaring hole I don't know about

    that is your first priority; ongoing security vigilance.  get on the
maillist at 'securityfocus.com'.


: Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

    i would suggest the 2.2.25 kernel.  it's stable, runs like a champ,
and at this point in time, pretty secure.  the 2.4.x kernel has just seen
a security problem up-to-and-including 2.4.20.  the suggested fix for
that is the latest 'release-candidate'.  on a production machine, i don't
think so.


: Should snort be running on the firewall machine

    i like to put all the 'security' stuff on the box that's most
exposed.  then, eliminate any services that are not ABSOLUTELY required,
and make sure the ones that are, are kept secure.


: Should SSH go to the firewall

    ssh is a known, and current attack vector.  if you have to run ssh,
make sure there are no problems with it.  a search at securityfocus.com
is worth every bit of time it takes.


: NAT and Firewall rules ... a malicious attacker cannot hide rule changes

    if an attacker has gotten that far, you're hosed.  that suggests
either the rules are less than effective, or other security problems exist.
ro media is a good idea though; saves a lot of time if you ever do get
compromised.


: be used as a basis?  I would prefer one that starts off more strict

   let me suggest "http://www.bastille-linux.org".  this is a hardening
script that (a) does a great job setting user defined firewall rules, and
perhaps more importantly, (b) offers a very informative tutorial in the
process.

    however:

    bastille has gotten a lot more 'sophisticated' in that, it's trying
to be "all things to all people".  i much prefer the earlier versions,
1.1 and 1.2.  the latest and greatest 'demand' a gui for installation,
and that's a limitation i prefer not to embrace.  either way though, it is
the way to go.

    with regard to 'linux'.

    if your firewall has no need for a 'desktop', be "warned" that the
default install of RH-8.0 has UTF-8 encoding.  this fucks up the command
line interface, and causes all sorts of ugly problems with ncurses.  i am
'told' this problem does not exist in RH-9.0.  they both however, have
the 2.4.x kernel series.  some decisions on your part seem probable ...


-- 
... i'm a man, but i can change,
    if i have to, i guess ...
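
An added example for the "ro media" point in the post above (this is not part of the list message and is not the author's code): a small POSIX sh check that compares the running firewall ruleset against a baseline copy kept on read-only media, so a rule change cannot go unnoticed even if someone alters the live tables. It assumes dumps in iptables-save format (the 2.4.x series discussed in the thread); the three rulesets embedded below, and the 192.0.2.10 admin host, are constructed samples. Counters and the timestamp comment change legitimately between dumps, so they are stripped before comparing.

```shell
#!/bin/sh
# Compare a live firewall ruleset with a baseline copy from read-only media.
# Only chains, policies and rules are compared; counters and comments are
# stripped first. All file contents below are constructed samples.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
BASELINE="$WORKDIR/rules.baseline"          # stands in for the copy on read-only media
CURRENT_COUNTERS="$WORKDIR/rules.counters"  # same rules, traffic counters have moved
CURRENT_TAMPERED="$WORKDIR/rules.tampered"  # ssh rule loosened to accept from anywhere

cat >"$BASELINE" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 192.0.2.10 --dport 22 -j ACCEPT
COMMIT
EOF

# Same rules after a day of traffic: only the counters differ.
sed -e 's/\[0:0\]/[4821:602313]/' "$BASELINE" >"$CURRENT_COUNTERS"

# A changed rule: the source restriction on ssh has been removed.
sed -e 's/ -s 192\.0\.2\.10 / /' "$BASELINE" >"$CURRENT_TAMPERED"

# Drop comment lines, blank lines and [packets:bytes] counters (leading on
# rule lines dumped with -c, trailing on chain policy lines).
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*] *//' \
        -e 's/ *\[[0-9]*:[0-9]*]$//' \
        -e '/^[[:space:]]*$/d'
}

# rules_match BASELINE CURRENT: return 0 when the normalized rulesets are identical.
rules_match() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules <"$1" >"$a"
    normalize_rules <"$2" >"$b"
    if cmp -s "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# rules_diff BASELINE CURRENT: print the differing rule lines ('<' baseline, '>' current).
rules_diff() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules <"$1" >"$a"
    normalize_rules <"$2" >"$b"
    diff "$a" "$b" || true
    rm -f "$a" "$b"
}

# check_rules BASELINE CURRENT: one-line verdict plus the diff, as a cron job would mail it.
check_rules() {
    if rules_match "$1" "$2"; then
        echo "OK: running rules match baseline"
    else
        echo "ALERT: running rules differ from baseline:"
        rules_diff "$1" "$2"
    fi
}

check_rules "$BASELINE" "$CURRENT_COUNTERS"
check_rules "$BASELINE" "$CURRENT_TAMPERED"
```

On a real box the second argument would be a fresh dump of the live tables (for example from `iptables-save`) and the first the baseline file on the read-only medium; running the check from cron and mailing any ALERT output gives the early warning the post is after.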

